Who’s Trying to Murder the Internet?

An inside look at the most basic and effective way for hackers to shut down someone’s website.

By Rick Paulas

(Photo: Michael Bocchieri/Getty Images)

As we continue to slide down the ramp of the strangest American presidential election of all time, it’s becoming harder to have the bandwidth to be aware of any other current events going on. But if there’s one story from the last few weeks that should worm its way into your purview, it’s this one, just in time for the Halloween season: Someone is trying to murder the entire Internet!

The scenario peaked earlier today, when massive numbers of websites (including Twitter, Spotify, Netflix, and scores of others) were taken down for an extended period of time after a cyber attack on the Domain Name System provider Dyn. Worse than the attack itself is the fact that really, this is just the beginning.

[S]ome of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in [Distributed Denial of Service attacks] against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated.

A Distributed Denial of Service attack (DDoS) is the most basic and effective way to shut down someone’s website. It’s essentially flooding a site with so much traffic that the server can’t handle normal operations. “If someone has a bigger pipe than you, they flood you with traffic until you fall over,” Schneier says. “Or, they’ve ordered so many pizzas delivered to your house that you can’t get home because your street is all parked up. You flood the site with so much fake traffic, real traffic can’t get through. That’s a DDoS.”

It’s the same method of attack that hit security author Brian Krebs’ website last month with approximately 665 Gigabits of traffic per second, forcing him to take his site down for a period of time. (For comparison, Netflix recommends a connection of 25 Megabits per second to stream their Ultra HD quality video.) But what was most surprising about the attack on Krebs’ site was the method that was employed.

It’s like using a powerful microphone to amplify a person’s voice, versus someone actually having to shout.

Rather than hacking their way into unused servers that amplify the traffic being sent so it feels like an overwhelming amount—the most obvious means of unleashing these massive attacks—this one against Krebs used a method where the actual traffic being sent was huge.

“That suggests the attackers behind this record assault launched it from quite a large collection of hacked systems — possibly hundreds of thousands of systems,” Krebs writes in his explanation. It’s like using a powerful microphone to amplify a person’s voice, versus someone actually having to shout. (It was later determined that 1.5 million connected cameras, linked through the Internet of Things, was used in the attack.)

This method of attack is important because it’s similar to how someone’s trying to shut down the entire Internet, Schneier says. And, potentially, it could have been the method used in today’s attacks.

While Schneier hasn’t been able to name sources of the companies he has been speaking to about the attacks, the heightened frequency jives with information released by Verisign, an Internet company that offers network security services. Every quarter, it releases a report on the types and frequency of attacks it’s seeing. The latest report shows an increase of 75 percent in DDoS attacks. As the company’s public relations representative told me, it “points to the fact that DDoS attacks show no signs of slowing down, and this type of attack continues to be frequent, persistent and complex.”

But this isn’t just about attacks on Verisign, a company large enough that, as Schneier puts it, “if it goes down, there’s a global blackout of all websites and e-mail addresses in the most common top-level domains.” Or even Dyn, which resulted in today’s massive outages. It’s all of them at once, coordinated across multiple domain registers and server companies that, if struck at once, would be enough to take down a good chunk, if not all, of the Internet. (Keep in mind: not for good, or even an extended period of time, but enough to disrupt all sorts of activities.)

But the goal of this attack likely isn’t to actually take down the Internet. Rather, it’s to figure out how to take down the Internet, in case some future scenario presents itself where that tactic becomes worthwhile. “Militaries generally think about the unthinkable,” Schneier says. “What would we do if we drop a nuclear bomb in New York? Even though that’s insane to you or I, governments have reports on that. There is a nuclear bomb in Russia with the address of New York in the navigation computer. It exists. The capability exists. This [series of attacks] is like that.”

The attacks Schneier has been following are similar to probing. The DDoS attacks come and force the companies to ramp up their defense capabilities, and so the attacks heighten a little further, and so on, as if they’re testing how much firepower they need. It’s kind of like going to the gun range and shooting through various levels of armor to see what they can pierce through.

As far as who is likely behind these probes? The attack is too complex and massive to be an independent activist group or criminal organization, narrowing the possibilities to some country’s military cyberforce. While there’s been no official confirmation as to which country is testing this Internet nuclear bomb, Schneier says evidence points in one direction. “It looks like China,” he says. “Yeah, it’s China.”

In any case, the possibility that one of these countries — or some unknown cyber cabal — is testing ways to take down the Internet should be enough to alleviate any concerns that, after this election’s over, things will be boring once again.